Malicious PDF — malware analysis report

Static analysis result for SHA-256 94694cdf4f4542f6…

MALICIOUS

PDF

Size: 82.4 KB
Created: 2021-03-26 19:05:55 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5f67f27d33312a7314803a1f0b32bbb7
SHA-1: 16bd864b563664fb3602210e7e11a4f2aa1fb40e
SHA-256: 94694cdf4f4542f613ab7cd30c7a7857f3815520b4cf15080ecd4e73686c46fc
Risk Score: 196

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains numerous external links, with one prominent URL suggesting a lure related to 'best pdf annotation ipad pro'. The PDF_SEO_LINK_FARM heuristic together with the ML classifier's high confidence score indicates malicious intent, most likely to drive traffic to malicious sites or to distribute further payloads. ClamAV also detected this file as a phishing trojan.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9990

Heuristics (6)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Password-protected archive handoff [high] SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://jacksth.ru/award?keyword=best+pdf+annotation+ipad+pro
    • http://mukinumatonewo.getenjoyment.net/reinforced_grouted_brick_masonry.pdf
    • http://xogakijukutikep.22web.org/52302884983.pdf
    • http://xitabijasava.getenjoyment.net/lean_management_system_certification.pdf
    • http://zememor.sportsontheweb.net/20157734060.pdf
    • http://nefozufovi.scienceontheweb.net/jaxagiluwezuwarobanuzekor.pdf
    • http://segaruzobuguses.scienceontheweb.net/ampulex_compressa.pdf
    • http://javofekuniti.22web.org/cctv_connection_diagram_wiring_schematic.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://uploads.strikinglycdn.com/files/0dddd8a3-5229-4e17-8276-3c5236f51652/xupusasevufutiziwadas.pdf
    • https://uploads.strikinglycdn.com/files/b0f97c84-2431-479d-9b00-7203ee23f6df/14184216371.pdf
    • https://uploads.strikinglycdn.com/files/d3b99bb9-5204-4650-8e9a-4d7695081701/75498230429.pdf
    • https://uploads.strikinglycdn.com/files/989217f3-830f-4cff-b570-a502cf3d9e46/core_radiology_review_course.pdf
    • https://uploads.strikinglycdn.com/files/40909b06-ec7f-4566-9241-0aa55f28ea17/where_to_donate_clothes_and_household_items_during_covid_19.pdf
    • https://7d33af4c-acfd-4996-9436-348e89828b5b.filesusr.com/ugd/289672_07b8d32a5a8140b4bfafd65ca8967203.pdf?index=true
    • https://uploads.strikinglycdn.com/files/be04b65e-1ade-4277-a8c2-9df2a3ae90b2/farberware_12_cup_food_processor_replacement_bowl.pdf
    • https://uploads.strikinglycdn.com/files/e13fef49-c463-483d-92c6-2fde39d47f0d/cuantos_metros_son_un_lote.pdf
    • https://uploads.strikinglycdn.com/files/4ae1bfd0-ea5e-4f64-ae63-16b638ed115d/what_movies_are_being_released_in_2020.pdf
    • https://492f55f4-3442-4b37-b17e-39d9f2f0ae8a.filesusr.com/ugd/7dfe85_ff10fbc6a0764e87b1c21d43be71d94b.pdf?index=true
    • https://uploads.strikinglycdn.com/files/905b5b8a-7c94-4aa7-8407-51605af2ac01/how_to_use_evening_primrose_oil_to_conceive.pdf
    • https://uploads.strikinglycdn.com/files/772cad37-fde8-4129-aad2-d633ebbdc307/bruce_lee_quotes_wallpaper.pdf
    • https://uploads.strikinglycdn.com/files/aaf5c80e-7495-4192-a90e-cafff71240ce/breville_juice_fountain_cold_plus_video.pdf
    • https://uploads.strikinglycdn.com/files/fde82805-38fd-4105-997b-b049a596c84b/39320742285.pdf
    • https://34e223d5-b18a-4f89-96b3-7c58aa965d90.filesusr.com/ugd/440e29_0ac5bb7beb04474eb67f07cb01a672a1.pdf?index=true
    • https://6f12065f-c45d-410c-b048-6ec23fb2b810.filesusr.com/ugd/02ccf7_9771b3f84f6c48a79fb06554235986cc.pdf?index=true
    • https://uploads.strikinglycdn.com/files/c27f2ec0-9029-43ff-8c97-673b0319279c/the_human_body_obtains_915_kj_of_energy_from_a_candy_bar.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

font_00_sfnt_off0000f9ab.bin
  SHA-256: 99fd0c9822439778d0d3f705505c3ceb749ca3a65a75521d4c4c9042ae1e6995
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xF9AB
  Size: 4840 bytes

font_01_sfnt_off00010a25.bin
  SHA-256: 5557b471184cc4af8d3da4f0d4a14081b0786b6490efc3c2c3092284bb45f183
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x10A25
  Size: 10424 bytes

font_02_sfnt_off00012de3.bin
  SHA-256: 4fcfa7c68d76e23b667942a3ac892d2d5d88346478daafc61479ad4df4af3dd3
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x12DE3
  Size: 4324 bytes